F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration
  3. Form-Based Client-Initiated Single Sign-On Method
Manual Chapter : Form-Based Client-Initiated Single Sign-On Method

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Form-Based Client-Initiated Single Sign-On Method

About form-based client-initiated SSO authentication

With the HTTP form-based client-initiated method of authentication, when Access Policy Manager detects the request for a logon page (URI, header, or cookie that is configured for matching the request), APM generates JavaScript code, inserts it into the logon page, and returns the logon page to the client, where it is automatically submitted by the inserted JavaScript. APM processes the submission and uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user.

Basic configuration of form-based client-initiated SSO

To create a form-based client-initiated SSO configuration object, you must configure at least one form and include at least one form parameter. A
form parameter
 represents an input element on an HTML logon form, such as a form field for entering a user name or password, or, optionally, for entering a hidden form parameter.
Form-based client-initiated SSO configuration supports four sets of matching criteria that you can define.
Request Detection
(Required) Configures the SSO module to detect the HTTP request for the logon page by matching the HTTP URI, header, or cookie that you specify, and supports entry of multiple URIs. Requires data that is specific to the application. Request detection is successful when the request matches one of the configured items either partially or fully, depending on whether the request prefix option is enabled in Advanced Settings.
Form Identification
(Optional) Specifies how to detect the form within the HTTP body of the logon page. The default is form parameters, which enables identification of the logon form parameter fields based on the values entered for the form parameters in the general properties. Alternatively, you can specify that the form be identified using other data present in the form, such as the ID, name, or action attributes, or the form order.
Form Submit Detection
(Required) Specifies how to detect the submit request for the for a logon form. The default is an enabled auto detect option. Alternatively, you can select a scheme to use to use as an alternative to auto detect.
Logon Detection
(Optional) Configures the SSO module to detect whether logon was successful by checking for the presence of a cookie or a redirect URI. The default is
None
 (logon detection is not performed).
The majority of web applications have a single logon page with one logon form. You need to define a single form for these applications. In less usual cases when an application has multiple logon pages with different logon forms, you need to create multiple forms, one for each logon page. If multiple logon pages use the same form, you need only one form with a list of URIs for all logon pages.

How does form-based client-initiated SSO authentication work by default?

This figure illustrates the default behavior of the form-based client-initiated SSO authentication method.
Form-based client-initiated SSO default behavior
Form-based client-initated SSO Default Behavior
  1. The user logs on to Access Policy Manager and APM® runs the access policy. This populates the session variables with the user credentials.
  2. The user requests the application logon page. This GET request is passed to the application web server, verbatim.
  3. The application web server replies with 200 OK and serves the logon page.
  4. APM generates JavaScript and inserts it into the logon page before returning it to the user. The JavaScript assigns values to form parameters, as specified in the form configuration. The password parameter is assigned a password token rather than the actual user password.
  5. The JavaScript runs on the client side. The logon page is not displayed to the user; user input is locked out. Without delay, the form is submitted using POST. The form parameters and their values, including user name and password token, are sent to APM.
  6. APM then replaces the password token with the actual user password, as well as other form parameters specified in the form configuration with their configured values.
  7. The POST, along with the real user credentials from step 1, is sent to the web server.
  8. The application start page is served by the webserver, and sent to the client, verbatim. Optionally, APM performs detection of successful logon by examining HTTP response headers, looking for a cookie or redirect Location URI.

About advanced configuration options for form-based client-initiated SSO authentication

You can change some aspects of the form-based client-initiated SSO default behavior by configuring optional properties.
  • You can change the automatically generated JavaScript code that is inserted into the logon page in one of three ways using the JavaScript Insertion options. You can replace it completely with custom code, or add extra code to it by specifying the application JavaScript functions to call prior to submitting a logon form.
  • You can configure the SSO module to automatically detect the application HTTP request that submits user credentials using Form Submit Detection. If you disable automatic detection, the SSO module instead detects form submittal by using an HTTP header, cookie, or HTTP URIs that you specify.

Configuring form-based client-initiated SSO

You can use the form-based client-initiated SSO method to create form-based SSO configurations. For example, you can use this SSO method to support web applications that run JavaScript in the browser and need to maintain application state during the login process. You can also use it to support web applications that present multiple login screens.
  1. On the Main tab, click
    Access
    Single Sign-On
    Forms - Client Initiated
    .
    The Forms - Client Initiated screen opens.
  2. Click
    Create
    .
    A popup screen, Create New Forms-Client Initiated Configuration, opens.
  3. In the
    SSO Configuration Name
     field, type a name.
  4. From the
    Log Setting
     list, select one of the following options:
    • Select an existing APM log setting.
    • Click
      Create
       to create a new log setting.
  5. If you want APM to gather and log information that you can use to configure form settings, select
    Passthrough Configuration
    .
    When you start a session using this SSO configuration, APM logs the information at the NOTICE level and prefixes it with PASSTHROUGH MODE LOG. You can view the logs in the sessions report. Reports are available in the
    Access
    Overview
    Access Reports
    area of the product.
    When
    Passthrough Configuration
     is selected, APM does not validate the form settings that you configure. This enables you to gather information, configure forms, and test them freely.
    When you complete your testing, be sure to clear the
    Passthrough Configuration
     check box.
  6. If you selected
    Passthrough Configuration
     and you do not want to start configuring form settings now, click
    OK
    .
    The remainder of this procedure describes configuring form settings.
    The new form-based client-initiated SSO configuration is available for testing.
  7. Select
    Form Settings
     from the left pane.
  8. Click
    Create
    .
    The
    Create
     button is not active until you complete the General Settings by typing a name for the SSO configuration.
    You must create at least one form to complete the SSO configuration (unless
    Passthrough Configuration
     is selected on the General Settings screen).
    The Create New Form Definition popup screen opens.
  9. Type a name in the
    Form Name
     field.
  10. In the left pane, click
    Request Detection
    .
    The right pane displays required fields.
  11. From the
    Detect request for form by
     list, select an option and type the required data.
    • Cookie
       Type a name in the
      Cookie Name
       field.
    • Header
       Type a name in the
      Header Name
       field.
    • URI
       Type a URI in the
      Request URI
       field.
    The
    OK
     button becomes available.
  12. In the Advanced Settings area, select an option for
    Request Method
    .
    Specifies whether the request method is
    GET
     or
    POST
    . Defaults to
    GET
    .
  13. Select
    Form Identification
     from the left pane.
    Create New Form Definition displays in the right pane.
  14. From the
    Identify Form by
     list, select how to find the HTML logon form in the HTML body of the logon page.
  15. Select
    Form Parameters
     from the left pane.
    Form Parameters displays in the right pane.
  16. For each form parameter that you want to create, repeat these steps:
    1. Click
      Create
      .
      The Create New Form Parameter popup screen opens.
    2. In the
      Form Parameter Name
       field, type or select a name.
    3. In the
      Form Parameter Value
       field, type or select a value.
    4. For the
      Secure
       option, select
      Yes
       if applicable.
    5. Click
      OK
      .
    The screen closes, showing the Create New Form Definition popup screen, which displays the new form parameter.
  17. Select
    Form Submit Detection
     from the left pane.
    The Create New Form Definition popup screen opens.
  18. For
    Disable Auto detect submit
    , retain the default value,
    No
    .
  19. Select
    Logon Detection
     from the left pane.
  20. From
    Detect Login by
    , select an option for detecting a successful login and type any required data:
    • None
      .
    • Presence of Cookie
       Type a name in the
      Cookie Name
       field.
    • Redirect URI
       Type a URI in the
      Redirect URI
       field.
  21. Click
    OK
    .
    The screen closes, displaying the Forms - Client Initiated screen for SSO Configurations.
The new form-based client-initiated SSO configuration is available for use.

Forms-based client-initiated SSO configuration settings

These settings are available when you create a form-based client-initiated SSO configuration.

General settings

Setting
Description
SSO Configuration Name
Specifies the name of the configuration. It must be unique.
SSO Description
Specifies a description. This is an optional setting.
Log Setting
Specifies at what level of detail the system logs. Valid values are listed. Defaults to
Notice
.
Passthrough Configuration
This option helps administrators configure SSO
Form Settings
.
Form Settings
 are not mandatory when this option is enabled. When starting a session with SSO passsthrough enabled, the relevant form settings information is logged in the session report. Disable
Passthrough Configuration
 after configuring
Form Settings
 correctly with the help of the session passthrough logs.

Form settings

General Properties
Setting
Description
Form Name
Specifies the name of the form. It can be any name and need not match the actual name of the HTML form.
Form Description
Specifies an optional description of the form.
Request Detection
Setting
Description
Detect request for form by
Specifies which element of the HTTP request headers is used to identify the application request for logon page: Cookie, Header, or URI. Defaults to URI.
Cookie
Specifies that the system identifies the form by the presence (default) or absence (configurable with Advanced Properties) of this cookie.
Header
Specifies that the system identifies the form by the presence (default) or absence (configurable with Advanced Properties) of a header.
URI
Specifies that the system identifies the form by a successful match (default) or failed match (configurable with Advanced Properties) against one or multiple URIs.
Advanced Settings - Request Detection
Setting
Description
Request Method
Specifies whether the request method is
GET
 or
POST
. Defaults to
GET
.
Request Negative
When selected, specifies that the system detects the form that fails to match the criteria specified for Form Detection. The system then detects the form by the absence of the specific cookie or header, or by its failure to match the URIs. The default is cleared.
Request Prefix
When selected, specifies that the system matches on a partial string. If this option is not selected, the match must be verbatim. The default is selected.
Form Identification
Setting
Description
Identify Form by
Specifies how the HTML logon form is found in the HTML body of the logon page. If there is more than one form on the logon page matching the criteria, the first match is used. Options are:
  • ID Attribute-
    Specifies that a form ID is used to find the form.
  • Name Attribute
    -Specifies that
  • Action Attribute
    -Specifies that
  • Form Order
    -Specifies that
  • Form Parameters
     (default)--Specifies that the form parameters, which have already been defined, are used to find the form. There is nothing more to configure.
Form ID
Specifies the form ID that is used to identify the form.
Form Name
Specifies the specific form name.
Form Action
Specifies the value of the action attribute.
Form Order
Specifies the relative order of the form on the logon page (starting from 1).
Form Parameters
Specifies the name and value of the form parameter and whether the parameter is encrypted.
Form Parameters
Setting
Description
Form Parameter Name
Specifies the name of a form parameter.
Form Parameter Value
Specifies the value of the form parameter. This is usually the name of a session variable. The value could also be a literal string or a combination of strings and session variable names.
If the session variable is not found when the SSO request is processed, the value of the corresponding POST parameter will be empty.
Secure
Specifies whether the parameter is secure. Defaults to
No
.
Form Submit Detection
Setting
Description
Disable Auto detect submit
Defaults to
No.
Scheme
Available when Disable Auto detect submit is set to Yes. Specifies how to detect submit. Options are:
  • URI
  • Cookie
  • Header
Advanced Settings - Form Submit Detection
Setting
Description
Submit Request Negative
When selected, specifies that the system detects the form that fails to match the criteria specified for Form Detection. The system then detects the form by the absence of the specific cookie or header or by its failure to match the URIs. The default is cleared.
Submit Request Prefix
When selected, specifies that the system matches on a partial string. If this option is not selected, the match must be verbatim. The default is selected.
Logon Detection
Setting
Description
Detect Login by
Specifies whether and how to detect a successful logon. Options are:
  • Presence of Cookie
  • Redirect URI
  • None
     (default)
Cookie Name
Specifies the cookie name that identifies successful logon.
Redirect URI
Specifies the redirect URI that identifies successful logon.
JavaScript Injection
Setting
Description
Injection Method
Specifies whether to use the default JavaScript that APM creates. Defaults to Auto.
  • Auto
  • Extra
  • Custom
Extra Javascript
Specifies more JavaScript to run at the end of the automatically generated JavaScript.
Review the logon page source to determine whether any JavaScript functions are called on submit.
Custom Javascript
Specifies the custom JavaScript to run in place of the automatically generated JavaScript. When you select the
Custom
 injection method, a JavaScript template is provided in the
Custom Javascript
 text area. You must modify this in order to add the appropriate form parameters.

Header Settings

Setting
Description
Header Name
Name
Header Value
Value

Form-based client-initiated SSO configuration examples

Using the examples provided for various applications, you can quickly create form-based client-initiated SSO configurations.

DWA form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Domino Web Access (DWA).
Setting
Sample value
SSO Configuration Name
ssov2-dwa
Form Name
testform
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • Username
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • Password
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI
/
Identify Form by
Name Attribute
Form Name
STLogonForm
Detect Logon by
Presence of Cookie
Cookie Name
DomAuthSessId
Request Prefix
Not selected

Bugzilla form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Bugzilla.
Setting
Sample value
SSO Configuration Name
ssov2-bugzilla
Form Name
tform
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • Bugzilla_login
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • Bugzilla_password
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI
/
Identify Form by
ID Attribute
Form ID
mini_login_top
Detect Logon by
Presence of Cookie
Cookie Name
Bugzilla_logincookie
Request Prefix
Not selected

Ceridian form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Ceridian.

Settings to configure form-based client-initiated SSO for Ceridian

Setting
Sample value
SSO Configuration Name
ssov2_ceridian
SSO Description
sourcetimepro1.ceridian.com
Form Name
auth_form
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • ClientIDInput
  • %{session.logon.last.clientid}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • SerialNumberInput
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • PasswordInput
  • %{session.sso.custom.last.password}
  • No
     (Default)
Detect Form by
URI
Request URI


/


/sta.asp

/ctagw/


/ctagw/sta.asp

Identify Form by
Form Parameters
Detect Logon by
Redirect URI
Redirect URI
https://sourcetimepro1.ceridian.com/CTA660/cta.asp?RequestID=*
Request Prefix
Not selected
Injection Method
Custom
Custom Javascript
See sample code that follows.
Disable Auto detect submit
Yes
Scheme
URI
URI


/sta.asp


/ctagw/sta.asp

Custom JavaScript

<script>
function checkInternetExplorerVersion()
// Returns 'true' if the version of Internet Explorer > 8
{
  var r = -1; // Return value assumes agreement.
  if (navigator.appName == 'Microsoft Internet Explorer')
  {
    var ua = navigator.userAgent;
    var re  = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})");
    if (re.exec(ua) != null)
      r = parseFloat( RegExp.$1 );
  }
  return ( r==-1 ) ? true : false;
}
if (checkInternetExplorerVersion()) {
  document.body.style.visibility='hidden';
  document.body.style.display='none';
}
document.body.onkeydown=function(e){return false;};
function __f5submit() {
var __f5form = document.forms[0];
__f5form.SerialNumberInput.value='%{session.sso.token.last.username}';
__f5form.PasswordInput.value='%{session.sso.custom.last.password}';
__f5form.ClientIDInput.value='%{session.logon.last.clientid}';
f_submit();
}
if (window.addEventListener) {
  window.addEventListener('load',__f5submit,false);
} else if (window.attachEvent) {
  window.attachEvent('onload',__f5submit);
} else {
  window.onload=__f5submit;
}
</script>

Logon Page customization in access policy

Logon Page Agent
(field 3):
  • Type:
    text
  • Post Variable Name:
    clientid
  • Session Variable Name:
    clientid
Logon Page Input Field #3:
Company ID

Variable Assign definition in access policy

session.sso.custom.last.password = expr { [mcget -secure {session.sso.token.last.password}] }

Citrix form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for some of the Citrix server product versions that F5 supports. For Citrix compatibility information, see the BIG-IP APM Client Compatibility Matrix on the AskF5 web site at
http://support.f5.com/
.
Setting
Sample value
SSO Configuration Name
sso_fbv2
Form Name
testform
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • domain
  • %{session.logon.last.domain}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • user
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • password
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI


/Citrix/AccessPlatform/auth/login.aspx


/Citrix/XenApp/auth/login.aspx


/Citrix/StoreWeb/Authentication/LoginAttempt


/Citrix/StoreWeb/ExplicitAuth/Login
Identify Form by
Action Attribute
Form Action
login.aspx
Detect Logon by
Redirect URI
Redirect URI


*/Citrix/XenApp/site/default.aspx


*/Citrix/AccessPlatform/site/default.aspx


*/Citrix/StoreWeb/site/default.aspx

Citrix Product Upgrades

When you upgrade from one Citrix product version to another, it is not unusual for the product URIs to change. When that happens, form-based client-initiated SSO will stop working until you update the SSO configuration with the new URIs for the logon form and for redirect.

Devcentral form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Devcentral.

Settings to configure form-based client-initiated SSO for Devcentral

Devcentral Configuration Example
Setting
Sample value
SSO Configuration Name
ssov2_devcentral
SSO Description
devcentral.f5.com
Form Name
auth_form
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • dnn$ctr1093548$Login$Login_DNN$cmdLogin
  • Login
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • dnn$ctr1093548$Login$Login_DNN$txtUsername
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • dnn$ctr1093548$Login$Login_DNN$txtPassword
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI


/Community/Login/tabid/1082224/Default.aspx


/tabid/1082224/Default.aspx
Identify Form by
Form Parameters
Detect Logon by
Cookie
Cookie Name
authentication
Injection Method
Extra
Extra Javascript
See sample code that follows.

Extra Javascript

WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("dnn$ctr1093548$Login$Login_DNN$cmdLogin", "", true, "", "", false, false));
__f5form.enctype = 'application/x-www-form-urlencoded';
__f5form.encoding = 'application/x-www-form-urlencoded';

Google form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Google.
Setting
Sample value
SSO Configuration Name
ssov2_google
Description
accounts.google.com
Form Name
form_auth
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • Email
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • Passwd
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI
/ServiceLogin
Identify Form by
Form Parameters
Detect Logon by
Presence of Cookie
Cookie Name
SID
For Internet Explorer 7 (and 8), disable the advanced setting
Display a notification about every script error
.

Oracle Application Server form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Oracle 10g Release 2 (10.1.2).
Setting
Sample value
SSO Configuration Name
ssov2_oracle
Form Name
tform
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • ssousername
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • password
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI
/sso/pages/login.jsp?site2pstoretoken=v1.2
Identify Form by
Form Parameters
Detect Logon by
Cookie
Cookie Name
SSO_ID

OWA 2010 and 2007 form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Outlook Web App (OWA) 2010 and OWA 2007.
OWA 2010 and OWA 2007 Configuration Example
Setting
Sample value
SSO Configuration Name
ssov2-owa
Form Name
tform
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • username
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • password
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI


/owa/auth/logon.aspx?replaceCurrent=1&url=


/owa/auth/logon.aspx?url=
Identify Form by
Form Parameters
Detect Logon by
Presence of Cookie
Cookie Name
sessionid
Injection Method
Extra
Extra Javascript
clkLgn()

Perforce form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Perforce.
Setting
Sample value
SSO Configuration Name
perforce-sso
Form Name
p4
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • u
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • p
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI
/p4web
Identify Form by
Form Parameters
Detect Logon by
Presence of Cookie
Cookie Name
P4W8080
Request Prefix
Not selected

Reviewboard form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Reviewboard.
Setting
Sample value
SSO Configuration Name
reviewboard-sso
Form Name
rb_logon
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • username
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • password
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI
/account/login
Identify Form by
Form Parameters
Detect Logon by
Redirect URI
Redirect URI
*/dashboard
Request Prefix
Not selected

SAP form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for SAP.
Setting
Sample value
SSO Configuration Name
ssov2_sap
Form Name
tform
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • j_user
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • j_password
  • %{session.sso.token.last.password}
  • Yes
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • uidPasswordLogon
  • Log On
  • No
     (Default)
Detect Form by
URI
Request URI
/irj/portal
Identify Form by
Form Parameters
Detect Logon by
Presence of Cookie
Cookie Name
MYSAPSSOV2
Request Prefix
Not selected

Salesforce form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Salesforce.
Setting
Sample value
SSO Configuration Name
ssov2_salesforce
Form Name
auth_form
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • username
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • pw
  • %{session.sso.token.last.password}
  • Yes
Detect Form by
URI
Request URI
/
Identify Form by
Form Parameters
Detect Logon by
Cookie
Cookie Name
inst
Injection Method
Custom
Custom Javascript
See sample code that follows.

Custom Javascript

<script>
      function checkInternetExplorerVersion()
      // Returns 'true' if the version of Internet Explorer &gt; 8
      {
      var r = -1; // Return value assumes agreement.
      if (navigator.appName == 'Microsoft Internet Explorer')
      {
      var ua = navigator.userAgent;
      var re  = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})");
      if (re.exec(ua) != null)
      r = parseFloat( RegExp.$1 );
      }
      return ( r==-1 ) ? true : false;
      }
      if (checkInternetExplorerVersion()) {
      document.body.style.visibility='hidden';
      document.body.style.display='none';
      }
      document.body.onkeydown=function(e){return false;};
      function __f5submit() {
      var __f5form = document.forms[0];
      __f5form.username.value='%{session.sso.token.last.username}';
      __f5form.password.value='f5-sso-token';
      ;
      var __f5action = __f5form.action;
      var __f5qsep = (__f5action.indexOf('?') == -1) ? '?' : '&amp;';
      __f5form.action = __f5action + __f5qsep + 'f5-sso-form=auth_form';
      __f5form.Login.click();
      }
      if (window.addEventListener) {
      window.addEventListener('load',__f5submit,false);
      } else if (window.attachEvent) {
      window.attachEvent('onload',__f5submit);
      } else {
      window.onload=__f5submit;
      }
      </script>

Sharepoint 2010 form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Sharepoint.
Setting
Sample value
SSO Configuration Name
ssov2_shp2010
Form Name
form_auth
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • ctl00$PlaceHolderMain$signInControl$UserName
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • ctl00$PlaceHolderMain$signInControl$password
  • %{session.sso.token.last.password}
  • Yes
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • ctl00$PlaceHolderMain$signInControl$login
  • Sign In
  • Yes
Detect Form by
URI
Request URI
/_forms/default.aspx?ReturnUrl=
Identify Form by
Form Parameters
Detect Logon by
Cookie
Cookie Name
FedAuth

Weblogin form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Weblogin.
Setting
Sample value
SSO Configuration Name
ssov2-weblogin
Form Name
tform
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • user
  • %{session.sso.token.last.username}
  • No
     (Default)
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • pass
  • %{session.sso.token.last.password}
  • Yes
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • submit_form
  • Submit
  • No
     (Default)
Detect Form by
URI
Request URI
/sso/login.php?redir=
Identify Form by
Name Attribute
Form Name
theForm
Detect Logon by
Cookie
Cookie Name
issosession

Yahoo form-based client-initiated SSO example

This example lists settings and values for creating a form-based client-initiated SSO configuration for Yahoo.
Setting
Sample value
SSO Configuration Name
sso_yahoo
SSO Description
login.yahoo.com
Form Name
form_login
  • Form Parameter Name
  • Form Parameter Value
  • Secure
  • login
  • %{session.sso.token.last.username}
  • No
     (Default)
Detect Form by
URI
Request URI
/
Identify Form by
ID Attribute
Form ID
login_form
Detect Logon by
Cookie
Cookie Name
PH
Injection Method
Custom
Custom Javascript
See example custom Javascript that follows.
Disable Auto detect submit
Selected
Javascript
/config/login

Custom Javascript

<script>
 //Logon page will not be hidden in IE7/8.
 //This is workaround for the problem with JS method .focus()
 //"Can't move focus to the control because it is invisible, not enabled, or of a type that does not accept the focus."
function checkInternetExplorerVersion()
// Returns 'true' if the version of Internet Explorer &gt; 8
{
  var r = -1; // Return value assumes agreement.
  if (navigator.appName == 'Microsoft Internet Explorer')
  {
    var ua = navigator.userAgent;
    var re  = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})");
    if (re.exec(ua) != null)
      r = parseFloat( RegExp.$1 );
  }
  return ( r==-1 ) ? true : false;
}
if (checkInternetExplorerVersion()) {
  document.body.style.visibility='hidden';
  var inter = setInterval(function ()
  {
    var err = document.getElementsByClassName('yregertxt')[0];
    var wcl = document.getElementById('captcha_c');
    if (err) {
      document.body.style.visibility = 'visible';
      clearInterval(inter);
    }
    if (wcl) {
      if ( wcl.style.visibility == 'hidden') {
        document.body.style.visibility = 'visible';
        clearInterval(inter);
      }
    }
  }, 1000);
};
function __f5submit() {
var adv = document.getElementById('adFrame');
if (adv) adv.style.visibility='hidden';
var __f5form = document.forms[0];
if (__f5form.login)
  __f5form.login.value='%{session.sso.token.last.username}';
__f5form.passwd.value='%{session.sso.custom.last.password}';
__f5form[".save"].click();
}
if (window.addEventListener) {
  window.addEventListener('load',__f5submit,false);
} else if (window.attachEvent) {
  window.attachEvent('onload',__f5submit);
} else {
  window.onload=__f5submit;
}
</script>

Variable Assign definition used in access policy

session.sso.custom.last.password = expr { [mcget -secure {session.sso.token.last.password}] }
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information